>Let's try a little exercise here. Stipulate that it's malice, and then generate the narrative in which malice makes sense.
Sure. Kaspersky creates security software. The FSB benefits from vulnerabilities in antivirus software. Kaspersky knows this and puts company resources into particular areas. ie how to spot the next stuxnet, rather than fix bugs like this.
The FSB does not need to write the source code (for Kaspersky Anti-virus) to benefit from vulnerabilities. In fact NSA, GCHQ, and FSB all benefit from subversion of https.
You can't stop at that point in my comment. You have to read the whole thing first. I'm not asking "does it ever make sense to backdoor Kaspersky AV". Clearly it does.
"your evil backdoor only impacts machines running your software already. " seems to assume that "whatever entity" can freely put in whatever code they want.
I agree that cert collisions is a strange way to backdoor, but to dismiss any questions as to possible malice as "conspiracy theories" seems to ignore many recent events (such as Juniper Networks)
Once again, you're responding to an argument I did not make. I'm not saying this bug doesn't make sense because nobody would want to backdoor Kaspersky AV. Clearly they would. I'm saying it doesn't make sense because it doesn't make sense as a backdoor. It provides the attacker with far less access than they already have, and does so in a way that leaves tracks all over the Internet even when the "backdoor" isn't "in use".
Sure. Kaspersky creates security software. The FSB benefits from vulnerabilities in antivirus software. Kaspersky knows this and puts company resources into particular areas. ie how to spot the next stuxnet, rather than fix bugs like this.
The FSB does not need to write the source code (for Kaspersky Anti-virus) to benefit from vulnerabilities. In fact NSA, GCHQ, and FSB all benefit from subversion of https.